AUTH-008 critical http-endpoints

Fail fast - no heavy work before auth validation

No DB queries, file uploads, or external calls before auth check

Question to ask

"Could a bad actor hammer your DB before auth even runs?"

Verification guide

Severity: Critical

Check automatically:

  1. Sample protected endpoints and check order of operations:

    # Find route handlers with auth
    grep -rn -A20 "isAuthenticated\|requireAuth\|authMiddleware\|protect" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules | head -50
    
  2. Look for expensive operations that might run before auth:

    # Database calls, file reads, external API calls
    grep -rn "prisma\.\|mongoose\.\|sequelize\.\|fetch(\|axios\.\|fs\.\|readFile" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules | head -30
    
  3. Review middleware order in route definitions:

    • Auth middleware should be first (or near-first) in the chain
    • Lightweight body parsing is OK before auth (fully parsing/validating large payloads is not; see fail criteria)
    • Database queries, file uploads, and external calls should be AFTER auth

  4. Check for file upload handling:

    # Multer, formidable, busboy - file uploads before auth is dangerous
    grep -rn "multer\|formidable\|busboy\|upload\." \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
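The ordering point in step 3 and the pass/fail criteria below, shown as an added example that is not part of the checklist: a minimal Express-style middleware runner with counters standing in for the expensive step, so the effect of putting an upload handler before or after the auth check can be measured directly. `runChain`, `requireAuth`, `makeHeavy` and the token value are hypothetical names constructed for this example.

```javascript
// Added example (not from the checklist): a tiny Express-style middleware
// runner used to show why middleware order decides whether unauthenticated
// requests reach expensive work. No real server, DB or file system is touched;
// a counter stands in for the heavy operation. All names are hypothetical.

// Run `chain` the way Express does: each middleware calls next() to continue,
// or ends the request by setting res.status. Returns the response object.
function runChain(chain, req) {
  const res = { status: null, body: null };
  let i = 0;
  const next = () => {
    if (res.status !== null || i >= chain.length) return;
    const mw = chain[i++];
    mw(req, res, next);
  };
  next();
  return res;
}

// Auth check: cheap, needs nothing but the request headers.
function requireAuth(req, res, next) {
  if (req.headers.authorization === 'Bearer valid-token') return next();
  res.status = 401;
  res.body = 'unauthorized';
}

// Stand-in for an expensive middleware (multer-style upload, DB lookup, ...).
// It records how many times it actually did work.
function makeHeavy(counter) {
  return (req, res, next) => {
    counter.calls += 1;               // real code would hit disk or the DB here
    req.upload = { bytes: req.body.length };
    next();
  };
}

function handler(req, res) {
  res.status = 200;
  res.body = `stored ${req.upload.bytes} bytes`;
}

// Send one request through the chosen ordering and report the final status
// plus how many times the heavy step ran. `token` may be undefined (no auth).
function heavyWorkBeforeAuth(chainOrder, token) {
  const counter = { calls: 0 };
  const heavy = makeHeavy(counter);
  const chain = chainOrder === 'upload-first'
    ? [heavy, requireAuth, handler]   // FAIL criteria: upload processed before auth
    : [requireAuth, heavy, handler];  // PASS criteria: auth runs first
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  const req = { headers, body: 'x'.repeat(1024) }; // constructed 1 KiB payload
  const res = runChain(chain, req);
  return { status: res.status, body: res.body, heavyCalls: counter.calls };
}
```

An unauthenticated request through the `upload-first` chain still gets a 401, which is why the bug is easy to miss in functional tests; only the counter reveals that the expensive work already happened.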

Pass criteria:

  • Auth middleware runs before business logic
  • No database queries before auth validation
  • No file uploads processed before auth validation
  • No external API calls before auth validation

Fail criteria:

  • Database queries in middleware that runs before auth
  • File uploads accepted before checking auth
  • Heavy computation or external calls before auth check
  • Request body fully parsed/validated before auth (for large payloads)

If heavy work is found before auth, ask the user: "Found [database query/file upload/etc.] running before the auth check in [endpoint]. Is this intentional? Unauthenticated requests shouldn't trigger expensive operations."

Evidence to capture:

  • Middleware order for sample endpoints
  • Any expensive operations found before auth
  • File upload handling pattern

Section

03. Authentication & Endpoints